Multiple Ways to Detect HTTP Options

Hi Friends, today we will walkthrough various HTTP Protocol methods and the tools used to extract those available HTTP methods in a web server. As we are already aware that the HTTP protocol comprises of number of methods that can be utilized to not only gather the information from the web server, but can also perform specific actions on the web server. These techniques and methods are helpful for the web application developers in the deployment and testing stage of the web applications.

GET and POST are the most well-known methods that are used to access and submit information provided by a web server, respectively. HTTP Protocol allows various other methods as well, like PUT , CONNECT , TRACE, HEAD, DELETE .These methods can be used for malicious purposes , if the web server is left misconfigured and hence poses a major security risk for the web application, as this could allow an attacker to modify the files stored on the web server.

OPTIONS : The OPTIONS method is used to request the available HTTP methods on a web server.

GET : GET request is the most common and widely used methods for the websites. This method is used to retrieve the data from the web server for a specific resource. As the GET method only requests for the data and doesnot modify the content of any resources, it’s considered to be safe.

POST : POST requests are used to send (or submit) the data to the web server so as to create or update a resource. The information sent is stored in the request body of the HTTP request and processed further. An example illustrating the same is “Contact us” form page on a website. When we fill a form and submit it, the input data is then stored in the response body of the request and sent across to the server.

PUT : The PUT method allows the end user (client) to upload new files on the web server. An attacker can exploit it by uploading malicious files or by using the victim’s server as a file repository.

CONNECT : The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client, the same string which has been sent across to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is almost similar to GET, however without the message-body in the response. In other words, if the HTTP request GET /products returns a list of products, then the HEAD /products will trigger a similar HTTP request however, won’t retrieve the list of products.

DELETE: This method enables a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the web server

Metasploit

Metasploit Framework is a well-known platform for developing, testing, and executing exploits. It is an open source tool for performing various exploits against the target machines.

Metasploit has in-built auxiliary modules dedicated to scan HTTP methods. Through the Metasploit framework command line (CLI), we can identify the HTTP Options available on the target URL as follows:

1

2

3

4

useauxiliary/scanner/http/options

set rhosts192.168.1.109

set rport80

exploit

cURL

cURL is a command line tool to get or send the data using the URL syntax and is compatible with various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.) along with command line (CLI) options for performing various tasks (Eg: User authentication , FTP uploading , SSL connections etc). The cURL utility by default comes installed in most of the distributions. However if in case , cURL is not installed, then we can install the same via apt-get install curl command . For more details refer the below URL

Nmap

Nmap is a free and open-source security scanner, used to discover hosts and services on the network. This is another method of checking which HTTP methods are enabled by using an NMAP script called http-methods.nse, which can be obtained from https://nmap.org/nsedoc/scripts/http-methods.html .

Let us use NMAP command to enumerate all of the HTTP methods supported by a web server on the target URL as follows :

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST,OPTIONS, TRACE) along with highlighting the potentially risk methods (i.e TRACE) out of them .

Netcat

Netcat is a utility tool having the capability to write and read data across TCP and UDP network connections, along with features like in-built port scanning , network debugging and file transfer etc.

Through the Netcat command we can identify the HTTP Options available on the target URL as follows :

1

nc192.168.1.10980

Press enter and the following options appear in the command line . Enter the server details as follows (and as highlighted in red )

1

2

OPTIONShttp://192.168.1.109 / HTTP/1.0

host:192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD ,POST,OPTIONS, TRACE), apart from other server specific information (Server response , version details etc)

Burpsuite

Burp Suite is a platform for performing various security testing for the web applications , from initial mapping and analysis to identifying and exploiting application vulnerabilities.

As we aware that the HTTP OPTIONS method provides us the most effective way to discover the different methods allowed on a HTTP server. So , let us capture the URL request in Burpsuite GUI and change the HTTP method type in the Request section to OPTIONS , as seen below.

As shown , the RESPONSE from the web server not only displays the list of HTTP methods allowed ,however also highlights the server version details (Eg: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL 1.0.0/k DAV/2 PHP/5.4.3)

Author: Ankur Sachdev is Information Security consultant and researcher in the field of Network & WebApp Penetration Testing . ContactHere